
How to reason about CVEs packaged in other open source software

Çağlar Arlı


I am reasoning about how to form a policy on CVEs found in software components that do not come from the software itself, but come in a built-in dependency of that software.

Take the example of a software component built on Java and maintained by organization X. That would typically come packed with a lot of third-party dependencies that may have CVEs. Scanning that software component may then find a vulnerability CVE-Z in a dependency of the software component that comes from another organization Y.

It will in many scenarios require a lot of work to understand if this CVE-Z is a problem in that software component. And there will often be a lot of "embedded CVEs". I myself assume that most actively maintained servers will update if they suffer from high-rated CVEs in embedded libraries, but I am not willing to trust that 100%. Does anyone have some good reasoning on how to think about this and work with it?
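As an added example (not part of the question above), one concrete step in this kind of triage is to find out, from the Java component's own dependency tree, which direct dependency drags the flagged artifact in (that is, whose release you are waiting on) and whether it is even on the runtime classpath or only in test scope. The helper below parses the indented tree that `mvn dependency:tree` prints; the sample tree and every group/artifact name in it are constructed for this example.

```python
import re

# Constructed sample in the indented format that `mvn dependency:tree`
# prints; the coordinates are hypothetical, not taken from the question.
SAMPLE_TREE = """\
[INFO] com.orgx:service:jar:1.4.0
[INFO] +- com.orgy:framework:jar:2.3.0:compile
[INFO] |  +- com.orgy:framework-core:jar:2.3.0:compile
[INFO] |  |  \\- org.thirdparty:xmlparser:jar:1.1.0:compile
[INFO] |  \\- org.thirdparty:logging:jar:4.2.0:compile
[INFO] \\- org.thirdparty:xmlparser:jar:1.1.0:test
"""

# One tree line: zero or more 3-char indent units ("|  " or "   "), an
# optional branch marker ("+- " or "\- "), then the Maven coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<indent>(?:[| ] {2})*)(?P<branch>[+\\]- )?(?P<coord>\S+)$")

def parse_tree(text):
    """Return (group:artifact, version, scope, path) for every node; path is
    the chain of group:artifact names from the root down to that node."""
    stack, rows = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 3 + (1 if m.group("branch") else 0)
        parts = m.group("coord").split(":")
        ga = f"{parts[0]}:{parts[1]}"
        if len(parts) == 4:            # root: group:artifact:packaging:version
            version, scope = parts[3], "root"
        else:                          # dependency: ...:version:scope
            version, scope = parts[-2], parts[-1]
        del stack[depth:]              # unwind to this node's parent
        stack.append(ga)
        rows.append((ga, version, scope, list(stack)))
    return rows

def triage(tree_text, vulnerable_ga):
    """For each occurrence of the flagged artifact, report the direct
    dependency that introduces it, whether it is transitive, and whether
    it is shipped at runtime (test/provided scope is not deployed)."""
    findings = []
    for ga, version, scope, path in parse_tree(tree_text):
        if ga != vulnerable_ga:
            continue
        findings.append({
            "version": version,
            "scope": scope,
            "introduced_by": path[1] if len(path) > 1 else path[0],
            "transitive": len(path) > 2,
            "runtime": scope not in ("test", "provided"),
            "path": " -> ".join(path),
        })
    return findings
```

Running `triage(SAMPLE_TREE, "org.thirdparty:xmlparser")` shows one runtime copy reached only through `com.orgy:framework` (so organization Y must ship the fix, or X must pin an override) and one test-scoped copy that never reaches production.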